Hi,

After your mail, I checked the certs. You're right, my certs don't contain subjectAltName and other stuff if any. They were even failing the "openssl verify" (and hence the check-cert.sh) command. Actually I tried generating a csr using gen-ssl-keys.sh and then signing it, but didn't work. It's verified and installed by the install-cert.sh script, but sipxproc didn't work. I'll further investigate it. We have to use our own certificates for the production servers for a reason that's too boringly long for this list :)

Using the self generated certs, and setting the hostname to the one in the certs, did work. sipxproc -l works now. Thanks very much for the help.

That didn't solve the LDAP sync problem though (I'm still getting the error message), and sipxproc -l states "PageServer failed" (All other services are running). I don't know if they're both the same problem or two different ones. I'll re-check and do the ldap based on the document again to see if I'm doing something wrong... Any other ideas?

________________________________________
From: Scott Lawrence [EMAIL PROTECTED]
Sent: Monday, November 24, 2008 6:22 PM
To: Tufan Karadere
Cc: [email protected]
Subject: Re: [sipx-users] hello, first impressions and a few problems

On Fri, 2008-11-21 at 09:13 -0600, Scott Lawrence wrote:
> On Fri, 2008-11-21 at 15:23 +0200, Tufan Karadere wrote:
> >
> > This, again I guess, may be something with our certificates, which are
> > signed by our own CA. I put the CA cert into /etc/sipxpbx/ssl/cacert
> > and it built the /etc/sipxpbx/ssl/.authorities.jks file, but I don't
> > know. The hostname of the server (padme) is different from the
> > hostname it gives the service with (sip), perhaps it's the cause, but
> > I couldn't find a way to make everything use the "sip" hostname. In
> > some logs, the default hostname still appears.
>
> This may well be at the root of your problems. I'm not clear on what
> you mean by the hostname being different, but it doesn't sound good.
>
> The sipXecs SSL usages require that the certificates be built as
> specified in
>
> http://www.ietf.org/internet-drafts/draft-ietf-sip-domain-certs-02.txt
>
> in short, the host name in the subjectAltName attribute of the cert
> should match.
>
> If you'll post (or send me) the public part of your certificate,
> including the public part of the ca certificate, I can check them to see
> if they are compatible with our expectations (I'm travelling much of
> today, so I won't see any reply until tomorrow morning).

Looking at the certs you sent - they are not compatible with sipXecs expectations.

If there is some reason why you feel strongly that you need to use your own self-signed certificate hierarchy (rather than the one our tool creates), you may be able to use your CA cert and key with the gen-ssl-keys.sh script (in .../bin/ssl-certs) to create sipXecs-compatible certificates. See the instructions with --help.
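
The subjectAltName check discussed in this thread, as an added example that is not part of the original messages or of sipXecs: it separates a certificate with no subjectAltName at all from one whose subjectAltName names a different host. The function name `san_check`, the `example.com` host names and the sample text are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the thread or of sipXecs.
# san_check HOST reads the text form of a certificate on stdin, as printed by
#   openssl x509 -in cert.pem -noout -text      (cert.pem is a placeholder)
# and returns: 0 = a DNS subjectAltName entry equals HOST
#              1 = subjectAltName present, but no DNS entry equals HOST
#              2 = the certificate has no subjectAltName extension at all
# Comparison is exact and case-insensitive; wildcard entries are not expanded.
san_check() {
    # openssl prints the SAN values on the line after the extension header.
    sans=$(awk '/X509v3 Subject Alternative Name/ { getline; print; exit }')
    [ -n "$sans" ] || return 2
    # One entry per line, whitespace trimmed, then a whole-line fixed-string match.
    if printf '%s\n' "$sans" | tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
        grep -qixF "DNS:$1"; then
        return 0
    fi
    return 1
}

# Constructed sample input (hand-written, not taken from a real certificate).
SAMPLE_WITH_SAN='        X509v3 extensions:
            X509v3 Subject Alternative Name:
                URI:sip:example.com, DNS:sip.example.com'
SAMPLE_NO_SAN='        Subject: CN=padme.example.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE'

# Demonstration: service name, machine name, and a certificate without SAN.
for host in sip.example.com padme.example.com; do
    rc=0
    printf '%s\n' "$SAMPLE_WITH_SAN" | san_check "$host" || rc=$?
    echo "with SAN, $host -> $rc"
done
rc=0
printf '%s\n' "$SAMPLE_NO_SAN" | san_check padme.example.com || rc=$?
echo "no SAN, padme.example.com -> $rc"
```
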
